CN103514405B - Method and system for detecting buffer overflow - Google Patents

Method and system for detecting buffer overflow

Info

Publication number
CN103514405B
CN103514405B
Authority
CN
China
Prior art keywords
address
function
instruction
original
module
Prior art date
Legal status
Active
Application number
CN201310284236.8A
Other languages
Chinese (zh)
Other versions
CN103514405A (en
Inventor
Inventor not disclosed
Current Assignee
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Senseshield Technology Co Ltd
Priority to CN201310284236.8A
Publication of CN103514405A
Application granted
Publication of CN103514405B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and system for detecting buffer overflow in an executable file, belonging to the field of software protection. Because a buffer overflow overwrites the return address of a function in order to change the program's flow of execution, the method first predicts, before a function is called, the address that execution should return to after the function completes; after the function has completed, it determines the address actually returned to and compares the predicted return address with the actual one. If the two addresses differ, a buffer overflow is deemed to have occurred and the software stops running. The method can improve the security of software.

Description

Method and system for detecting buffer overflow
Technical field
The present invention relates to the field of software protection, and in particular to a method and system for detecting buffer overflow in an executable file.
Background technology
Software, as a special kind of product, has been subject to a wide variety of attacks ever since it appeared, because of its digital nature. Among these, the buffer overflow attack is a common means of attack that threatens computer security. By implanting malicious code into software through a buffer overflow, an attacker can take control of the computer system, steal important data, and even format the hard disk for destructive purposes. Buffer overflows cause enormous losses to software users and seriously hinder the development of the whole software industry. The current static-analysis methods of detecting buffer overflow can neither stop an attack while the software is running nor detect unknown attacks.
Existing static analysis mainly works on source code: through lexical analysis, syntactic analysis and static semantic analysis it matches patterns of buffer overflow in order to detect potential security vulnerabilities in a program.
Early static analysis mainly performed lexical scanning and analysis of the source code and then matched it against a supplied dictionary, for example with the grep tool under Unix (grep, "global search regular expression and print out the line", is a powerful text search tool that searches text with regular expressions and prints the matching lines; the Unix grep family includes grep, egrep and fgrep), to search the source code for calls to dangerous library functions.
LCLint is a tool that checks code safety against specifications. It takes C source files and a set of specification files written in the LCL language (LCL is the Larch interface language for standard ANSI C and uses a syntax similar to C) as input, automatically checks for inconsistencies between the source files and the specification files and for violations of programming conventions, and emits the corresponding warnings.
There are also methods that detect buffer overflow by combining static analysis with semantic constraint analysis and the like.
Detection methods based on static analysis have a high false-positive rate, and they cannot stop an attack while the software is running or detect unknown attacks.
Summary of the invention
According to one aspect of the present invention, a method of detecting buffer overflow in an executable file is provided, comprising:
analysing the original entry point of an original file;
analysing the instructions in the original file that call functions, and recording the address of each call instruction;
injecting the original entry point of the original file and the addresses of the call instructions into the original file to obtain a protected executable file;
when the protected executable file runs, setting an access breakpoint at the original entry point of the original file according to the recorded original entry point;
after the protected executable file has run to the original entry point of the original file, setting access breakpoints at the addresses of the call instructions according to the recorded addresses;
after both sets of breakpoints are in place, controlling the execution of the protected executable file and recording, for each function, the expected return address before the function is called and the address actually returned to after the call completes;
comparing the recorded expected return address with the address actually returned to;
if the two differ, deeming that a buffer overflow has occurred and stopping the software;
if the two are identical, continuing to run the software.
According to one aspect of the present invention, the original entry point is the address of the first instruction executed when the software runs.
According to one aspect of the present invention, the injection consists in adding extra code to the original file.
According to one aspect of the present invention, the extra code is added by appending a new section to the original file, and the added modules and data are injected into the new section in the form of binary data.
According to another aspect of the present invention, a system for detecting buffer overflow in an executable file is provided, comprising:
a debugger module, an instruction analysis module, an overflow check module and a file link module;
the debugger module controls the execution of the executable file and records the expected return address of a function before it is called and the address actually returned to after the call completes;
the instruction analysis module analyses the original entry point in the executable file and records it, and analyses the instructions that call functions and records the addresses of the call instructions;
the overflow check module analyses the expected return address recorded by the debugger module before the function was called and the address actually returned to after the call completed; if the two differ, a buffer overflow is deemed to have occurred and the software is stopped; if the two are identical, the software continues to run;
the file link module injects the original entry point of the original file and the addresses of the call instructions into the original file.
The method provided by the present invention has the following beneficial effect: the address that should be returned to after a function completes is predicted before the function is called; after the function completes, the address actually returned to is determined; comparing the predicted return address with the actual one decides whether a buffer overflow has occurred, which greatly improves the security of the software.
Brief description of the drawings
Fig. 1 is a flow diagram of the protection process according to a preferred embodiment of the present invention.
Fig. 2 is a schematic diagram of the file at run time according to a preferred embodiment of the present invention.
Fig. 3 is a schematic diagram of the structure of a PE file.
Detailed description of the invention
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is further described below with reference to the drawings and embodiments.
In view of the above, the invention discloses a method and system for detecting buffer overflow in an executable file. A buffer overflow uses carefully constructed data (that is, data containing the binary machine code of the instructions to be executed, such as code that opens a command window or downloads malware from a specified address) to overwrite the return address of a function and thereby take control of the program's execution. The present invention therefore predicts, before a function is called, the address that should be returned to after the function completes; after the function completes, it determines the address actually returned to and compares the predicted return address with the actual one. If the two addresses differ, a buffer overflow is deemed to have occurred and the software is stopped; if the two addresses are identical, the software continues to run. This method improves the security of the software.
According to an embodiment of the present invention, as shown in Figs. 1 and 2, a method of detecting buffer overflow in an executable file is provided, comprising specifically:
1. The instruction analysis module analyses the original entry point of the original file, where the original entry point is the address of the first instruction executed when the program runs, and records it. According to an embodiment of the present invention, the original entry point is recorded in a global variable for later use.
2. The instruction analysis module analyses the instructions in the original file that call functions and records the address of each call instruction. According to an embodiment of the present invention, the addresses are recorded in allocated memory.
3. The file link module injects the debugger module, the overflow check module, the original entry point of the original file analysed by the instruction analysis module, and the addresses of the call instructions into the original file. According to an embodiment of the present invention, injection consists in adding extra code to the original file, for example by appending a new section to the original file and injecting the added modules and data into the new section in the form of binary data.
4. As shown in Fig. 2, when the protected executable file runs, the debugger module sets an access breakpoint at the original entry point recorded by the instruction analysis module. After execution reaches the original entry point, it sets access breakpoints at the addresses of the call instructions recorded by the instruction analysis module. Once the breakpoints are set, the debugger module controls the execution of the executable file and records the expected return address of each function before it is called (the expected return address can be read from the stack: once the called function has been entered, that is, once execution reaches the address given by the operand of the call instruction, the system has pushed the function's return address onto the stack) and the address actually returned to after the call completes. According to an embodiment of the present invention, the debugger module obtains the actual return address by single-stepping through the called function; the address executed after the ret instruction of the called function is the function's actual return address.
5. The overflow check module analyses the recorded expected return address of the function and the actual return address; if the two differ, a buffer overflow is deemed to have occurred and the software is stopped; if the two are identical, the software continues to run.
According to an embodiment of the present invention, a system for detecting buffer overflow in an executable file is provided, comprising specifically:
a debugger module, an instruction analysis module, an overflow check module and a file link module.
The instruction analysis module analyses the original entry point in the executable file and records it, and analyses the instructions that call functions and records the addresses of the call instructions. The original entry point is the address of the first instruction executed when the program runs.
The debugger module controls the execution of the executable file and records the expected return address of a function before it is called and the address actually returned to after the call completes.
The overflow check module analyses the expected return address and the actual return address recorded by the debugger module; if the two differ, a buffer overflow is deemed to have occurred and the software is stopped; if the two are identical, the software continues to run.
The file link module injects the debugger module, the overflow check module, the original entry point of the original file and the addresses of the call instructions into the original file.
According to an embodiment of the present invention, an example is given below to illustrate the present invention.
This example, taking a PE file under 32-bit Microsoft Windows as an example, describes the detailed process of protecting an executable file according to one specific embodiment of the application.
As shown in Fig. 3, a PE file is a program file under the Microsoft Windows operating system (it may also be executed indirectly, as a DLL is). PE stands for Portable Executable; the common EXE, DLL, OCX, SYS and COM files are all PE files. As shown in Fig. 3, the structure of a PE file mainly comprises the sections, the section table, the PE header and the DOS header. For the specific definition of each part of a PE file, refer to the online help of Microsoft Windows; it is not described further here.
The following explanation takes adding buffer overflow checking to Notepad (notepad.exe, version 5.1) as an example.
The instruction analysis module locates the IMAGE_NT_HEADERS data structure through e_lfanew in the DOS header of the PE file. From NumberOfSections in the IMAGE_FILE_HEADER within IMAGE_NT_HEADERS it obtains the number of entries in the section table (3 for notepad). From ImageBase in the IMAGE_OPTIONAL_HEADER32 within IMAGE_NT_HEADERS it obtains the default load address of the executable (0x01000000 for notepad). From AddressOfEntryPoint in IMAGE_OPTIONAL_HEADER32 it obtains the original entry point of the executable: for notepad the relative virtual address of the original entry point is 0x0000739D, so its address is 0x0100739D; the original entry point is recorded in a global variable. The section table follows the IMAGE_NT_HEADERS (immediately after the optional header). Whether a section is a code section is decided by whether Characteristics in its IMAGE_SECTION_HEADER contains IMAGE_SCN_CNT_CODE; in notepad the .text section is the code section. The instructions are analysed over the range given by the VirtualAddress and VirtualSize of the code section; in notepad the code section has VirtualAddress 0x00001000 and VirtualSize 0x00007748. If the machine code of an instruction is a call, the address of that instruction is recorded; the address of the first call instruction in notepad is 0x010073A4, and the instruction is call 01007568. The addresses of all call instructions in the code section are recorded in allocated memory.
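The header walk and call-site scan described above, as an added example in Python that is not part of the patent or its implementation. It constructs a minimal PE32 image in memory that reproduces the numbers quoted for notepad (ImageBase 0x01000000, entry RVA 0x739D, .text at RVA 0x1000 with VirtualSize 0x7748, a call 01007568 at 0x010073A4); the image, its single section and the filler instructions are constructed for the example and are not notepad.exe. One practitioner caveat the example makes explicit: the patent's test "if the machine code of the instruction is call" is a linear opcode scan, which can mistake data bytes for the E8 opcode and sees only direct calls (indirect calls through registers or the import table carry no E8 and are never recorded), so the scanner below at least rejects E8 bytes whose target falls outside every code section.

```python
"""Added example: the static step of the patent (instruction analysis module)
for a PE32 image, parsing DOS header -> NT headers -> section table and
scanning code sections for direct `call rel32` sites.  Not the patent's code."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020          # section Characteristics flag: contains code
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B    # PE32 optional header magic
SECTION_HDR = "<8sIIIIIIHHI"             # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Constructed PE32 image (not notepad.exe) reproducing the layout numbers
    quoted in the patent's notepad example: ImageBase 0x01000000, entry RVA 0x739D,
    one .text section at RVA 0x1000 with VirtualSize 0x7748, `call 01007568` at
    VA 0x010073A4.  The section body is NOP filler plus those few instructions."""
    image_base, entry_rva = 0x01000000, 0x739D
    text_rva, text_size, text_raw = 0x1000, 0x7748, 0x200
    site_rva, target_rva = 0x73A4, 0x7568

    text = bytearray(b"\x90" * text_size)                              # NOP filler
    text[entry_rva - text_rva:entry_rva - text_rva + 2] = b"\x33\xC0"  # xor eax,eax
    rel32 = target_rva - (site_rva + 5)                                # relative to next insn
    text[site_rva - text_rva:site_rva - text_rva + 5] = b"\xE8" + struct.pack("<i", rel32)
    text[target_rva - text_rva] = 0xC3                                 # ret in the callee

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                        # ImageBase
    sec = struct.pack(SECTION_HDR, b".text", text_size, text_rva, text_size, text_raw,
                      0, 0, 0, 0, IMAGE_SCN_CNT_CODE | 0x60000000)     # code | exec | read
    headers = dos + b"PE\0\0" + file_hdr + opt + sec
    return bytes(headers.ljust(text_raw, b"\0") + text)


def parse_pe(data):
    """Follow e_lfanew to IMAGE_NT_HEADERS, read NumberOfSections, ImageBase and
    AddressOfEntryPoint, then walk the section table that follows the optional
    header.  Returns the values the patent's instruction analysis module records."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                                      # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return {"image_base": image_base, "entry_va": image_base + entry_rva, "sections": sections}


def find_call_sites(data, pe):
    """Linear scan of each code section for opcode E8 (`call rel32`), recording
    (site VA, target VA, expected return VA = site + 5).  Caveat: this is the
    patent's "machine code is call" test and can misread data bytes as E8, so
    targets outside every code section are rejected; indirect calls are not seen."""
    code = [(s, pe["image_base"] + s["va"]) for s in pe["sections"] if s["chars"] & IMAGE_SCN_CNT_CODE]
    ranges = [(base, base + s["vsize"]) for s, base in code]
    sites = []
    for s, base in code:
        body = data[s["raw_ptr"]:s["raw_ptr"] + min(s["vsize"], s["raw_size"])]
        i = 0
        while i + 5 <= len(body):
            if body[i] == 0xE8:
                ret = base + i + 5
                target = (ret + struct.unpack_from("<i", body, i + 1)[0]) & 0xFFFFFFFF
                if any(lo <= target < hi for lo, hi in ranges):
                    sites.append((base + i, target, ret))
                    i += 5
                    continue
            i += 1
    return sites


if __name__ == "__main__":
    image = build_sample_pe()
    pe = parse_pe(image)
    print(f"ImageBase 0x{pe['image_base']:08X}, original entry point 0x{pe['entry_va']:08X}")
    for site, target, ret in find_call_sites(image, pe):
        print(f"call site 0x{site:08X}: call {target:08X}, expected return 0x{ret:08X}")
```

The three values the scanner records per site are exactly what the run-time side needs: the site address is where the access breakpoint goes, and site + 5 is the return address the call will push, which is compared with whatever ret actually pops.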
The file link module appends a new section to the section table of notepad, stores the debugger module, the overflow check module, the original entry point of the original file and the addresses of the call instructions in the new section, and modifies the entry point of the new file and the number of entries in the section table. This injects into the original file and produces the new file that is used at run time.
When the protected file runs, the specific steps are as follows:
The debugger module calls the SetBreakPoint function to set a breakpoint at the original entry point of the protected notepad, 0x0100739D.
The debugger module runs notepad until execution reaches the original entry point at 0x0100739D.
The debugger module sets access breakpoints at the addresses of the call instructions, for example by calling SetBreakPoint to set a breakpoint at the address of the first call instruction, 0x010073A4.
The debugger module runs the program. When execution reaches the call instruction at 0x010073A4, where the instruction is call 01007568, the expected return address is recorded before the function is called: the debugger single-steps into the code at 0x01007568 and reads the expected return address of the function, 0x010073A9, from the stack (according to an embodiment of the present invention, the stack here is the contiguous memory region that stores local variables and is indispensable for making function calls; stack space is allocated and released automatically by code generated by the compiler, whereas heap space is requested and released by the programmer). After the function call completes, the address actually returned to is recorded.
The overflow check module analyses the expected return address and the actual return address recorded by the debugger module; if they differ, a buffer overflow is deemed to have occurred and the software is stopped; if they are the same, the software continues to run.
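The run-time steps above (and the method steps of the summary) modelled as an added Python example that is not the patent's debugger or overflow check module: a small 32-bit stack model, a monitor that records the return address the call pushes and compares it with the one ret pops, and a constructed callee with an unchecked copy into a 16-byte local buffer. The stack addresses, the saved ebp value and the call site 0x010073A4 (expected return 0x010073A9) are assumptions made for the model. The example also shows the boundary of the method: an overflow that clobbers only the saved ebp and leaves the return address intact passes the check unflagged, because the patent compares return addresses alone.

```python
"""Added example: the run-time side of the patent's check, modelled with a
small 32-bit stack.  Not the patent's debugger or overflow check module; the
stack addresses, saved ebp value and call site are assumptions for the model."""
import struct


class BufferOverflowDetected(Exception):
    """The address `ret` popped is not the one recorded when the call was entered."""


class Stack:
    """Little-endian 32-bit stack model growing downward from the top of `mem`."""

    def __init__(self, base_va=0x0012F000, size=0x100):      # hypothetical addresses
        self.base_va = base_va
        self.mem = bytearray(size)
        self.esp = base_va + size                             # empty stack

    def _off(self, va, length=4):
        off = va - self.base_va
        if off < 0 or off + length > len(self.mem):
            raise IndexError(f"stack access outside model: 0x{va:08X}")
        return off

    def push(self, value):
        self.esp -= 4
        struct.pack_into("<I", self.mem, self._off(self.esp), value)

    def pop(self):
        value = struct.unpack_from("<I", self.mem, self._off(self.esp))[0]
        self.esp += 4
        return value

    def write(self, va, data):
        """Unchecked copy into stack memory, like strcpy into a local buffer."""
        off = self._off(va, len(data))
        self.mem[off:off + len(data)] = data


class ReturnMonitor:
    """What the patent's debugger and overflow check modules do together: at a
    recorded call site note the return address the call pushes (site + length of
    the call instruction), and after the callee's `ret` compare it with the
    address execution actually continues at."""

    def __init__(self):
        self.expected = []                                    # one entry per live call

    def on_call(self, stack, site_va, call_len=5):
        ret_va = site_va + call_len
        stack.push(ret_va)                                    # what the CPU does on `call`
        self.expected.append(ret_va)                          # read back from the stack
        return ret_va

    def on_ret(self, stack):
        actual = stack.pop()                                  # what `ret` transfers to
        expected = self.expected.pop()
        if actual != expected:
            raise BufferOverflowDetected(f"expected 0x{expected:08X}, actual 0x{actual:08X}")
        return actual


def vulnerable_callee(stack, data, caller_ebp=0x0012F0F0):
    """Constructed callee: prologue, a 16-byte local buffer filled without a
    length check, epilogue.  Frame layout from low to high addresses:
    buf[16] | saved ebp | return address."""
    stack.push(caller_ebp)                                    # push ebp
    buf = stack.esp - 16                                      # sub esp, 16
    stack.esp = buf
    stack.write(buf, data)                                    # strcpy(buf, data)
    stack.esp = buf + 16                                      # mov esp, ebp
    stack.pop()                                               # pop ebp (maybe clobbered)


def run(data, call_site=0x010073A4):
    """One monitored call; returns the address reached after `ret`, or raises."""
    stack, monitor = Stack(), ReturnMonitor()
    monitor.on_call(stack, call_site)
    vulnerable_callee(stack, data)
    return monitor.on_ret(stack)


def is_detected(data):
    """True when the monitor flags the input as a return-address overwrite."""
    try:
        run(data)
    except BufferOverflowDetected:
        return True
    return False


if __name__ == "__main__":
    print(hex(run(b"short input")))                          # 16 bytes or fewer: normal return
    print(hex(run(b"A" * 20)))                               # saved ebp clobbered, return intact: not flagged
    payload = b"A" * 20 + struct.pack("<I", 0x0012F0E8)      # return address redirected into buf
    print(is_detected(payload))
```

The 20-byte case is the one to keep in mind when assessing the method: anything the overflow corrupts short of the return address (saved frame pointer, other locals, a function pointer stored on the stack) is outside what the comparison can see, and an overwrite that happens to restore the original return address is equally invisible to it.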
The above is only a preferred embodiment of the present invention and is not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (8)

1. A method of detecting buffer overflow in an executable file, characterised in that it comprises:
analysing the original entry point of an original file;
analysing the instructions in the original file that call functions, and recording the address of each call instruction;
injecting the original entry point of the original file and the addresses of the call instructions into the original file to obtain a protected executable file;
when the protected executable file runs, setting an access breakpoint at the original entry point of the original file according to the recorded original entry point;
after the protected executable file has run to the original entry point of the original file, setting access breakpoints at the addresses of the call instructions according to the recorded addresses;
after both sets of breakpoints are in place, controlling the execution of the protected executable file and recording the expected return address of a function before it is called and the address actually returned to after the call completes;
comparing the recorded expected return address before the function was called with the address actually returned to after the call completed;
if the two differ, deeming that a buffer overflow has occurred and stopping the software;
if the two are identical, continuing to run the software.
2. The method according to claim 1, characterised in that the original entry point is the address of the first instruction executed when the software runs.
3. The method according to claim 1, characterised in that the injection consists in adding extra code to the original file.
4. The method according to claim 3, characterised in that the extra code is added by appending a new section to the original file, and the added modules and data are injected into the new section in the form of binary data.
5. A system for detecting buffer overflow in an executable file, characterised in that it comprises:
a debugger module, an instruction analysis module, an overflow check module and a file link module;
the debugger module sets an access breakpoint at the original entry point according to the original entry point recorded by the instruction analysis module; after execution reaches the original entry point, it sets access breakpoints at the addresses of the call instructions according to the addresses recorded by the instruction analysis module; once the breakpoints are set, it controls the execution of the executable file and records the expected return address of a function before it is called and the address actually returned to after the call completes;
the instruction analysis module analyses the original entry point in the executable file and records it, and analyses the instructions that call functions and records the addresses of the call instructions;
the overflow check module analyses the expected return address of the function before it was called and the address actually returned to after the call completed, as recorded by the debugger module; if the two differ, a buffer overflow is deemed to have occurred and the software is stopped; if the two are identical, the software continues to run;
the file link module injects the original entry point of the original file and the addresses of the call instructions into the original file.
6. The system according to claim 5, characterised in that the original entry point is the address of the first instruction executed when the software runs.
7. The system according to claim 5, characterised in that the injection consists in adding extra code to the original file.
8. The system according to claim 7, characterised in that the extra code is added by appending a new section to the original file, and the added modules and data are injected into the new section in the form of binary data.
CN201310284236.8A 2013-07-08 2013-07-08 Method and system for detecting buffer overflow Active CN103514405B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310284236.8A CN103514405B (en) 2013-07-08 2013-07-08 Method and system for detecting buffer overflow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310284236.8A CN103514405B (en) 2013-07-08 2013-07-08 Method and system for detecting buffer overflow

Publications (2)

Publication Number Publication Date
CN103514405A CN103514405A (en) 2014-01-15
CN103514405B true CN103514405B (en) 2016-08-10

Family

ID=49897110

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310284236.8A Active CN103514405B (en) 2013-07-08 2013-07-08 Method and system for detecting buffer overflow

Country Status (1)

Country Link
CN (1) CN103514405B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104809391B (en) * 2014-01-26 2018-08-14 华为技术有限公司 Buffer overflow attack detection device, method and security protection system
CN104714885B (en) * 2015-02-13 2017-12-01 小米科技有限责任公司 The detection method and device of stack overflow position
CN104766015B (en) * 2015-04-10 2018-02-13 北京理工大学 A kind of buffer-overflow vulnerability dynamic testing method based on function call
CN107480523A (en) * 2017-08-17 2017-12-15 郑州云海信息技术有限公司 Buffer overflow Application way on a kind of Intel and Linux64 platforms
CN112784261B (en) * 2021-01-04 2023-10-27 北京蓝军网安科技发展有限责任公司 Method for program operation and corresponding system, computer device and medium
CN113094619A (en) * 2021-04-22 2021-07-09 杭州推啊网络科技有限公司 Method and system for detecting cheating returned by advertisement landing page

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101714118A (en) * 2009-11-20 2010-05-26 北京邮电大学 Detector for binary-code buffer-zone overflow bugs, and detection method thereof
CN101866406A (en) * 2010-06-18 2010-10-20 中国科学院软件研究所 Stack overflow attack defense method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1662379A4 (en) * 2003-09-04 2008-12-03 Science Park Corp False code prevention method and prevention program

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101714118A (en) * 2009-11-20 2010-05-26 北京邮电大学 Detector for binary-code buffer-zone overflow bugs, and detection method thereof
CN101866406A (en) * 2010-06-18 2010-10-20 中国科学院软件研究所 Stack overflow attack defense method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于返回地址保护的防止缓冲区溢出方法 (A method of preventing buffer overflow based on return address protection); Huang Jian et al.; 计算机与数字工程 (Computer & Digital Engineering); 2008-06-20; Vol. 36, No. 6, pp. 123-126 *

Also Published As

Publication number Publication date
CN103514405A (en) 2014-01-15

Similar Documents

Publication Publication Date Title
CN103514405B (en) Method and system for detecting buffer overflow
US8762948B1 (en) System and method for establishing rules for filtering insignificant events for analysis of software program
US8117660B2 (en) Secure control flows by monitoring control transfers
US7814544B1 (en) API-profile guided unpacking
US11822654B2 (en) System and method for runtime detection, analysis and signature determination of obfuscated malicious code
CN105608391B (en) More ELF document protection methods and system
US10902129B2 (en) Method for detecting vulnerabilities in software
US9372991B2 (en) Detecting malicious computer code in an executing program module
EP3502944B1 (en) Detecting script-based malware cross reference to related applications
EP3495978B1 (en) Method for detecting vulnerabilities in software
CN107832613A (en) A kind of computer virus processing method
CN107450964A (en) It is a kind of to be used to finding that virtual machine is examined oneself whether there is the method for leak in system
US10339305B2 (en) Sub-execution environment controller
Scalco et al. On the feasibility of detecting injections in malicious npm packages
Manna et al. Memory analysis of .NET and .NET Core applications
CN106326733A (en) Method and apparatus for managing applications in mobile terminal
CN104978226A (en) Input/output redirection method, virtualization system and method and content delivery device
CN111814119B (en) Anti-debugging method
Abbadini et al. Lightweight cloud application sandboxing
CN107066886A (en) A kind of Android reinforces the detection method of shelling
Nasim et al. Uncovering self code modification in Android
CN107798244A (en) A kind of method and device for detecting Remote Code Execution Vulnerability
CN104680043A (en) Method and device for protecting executable file
KR101207434B1 (en) System and Method for Preventing Collision Between Different Digital Documents Protection System
Lim et al. Survey of Dynamic Anti-Analysis Schemes for Mobile Malware.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100872 room 1706, building 59, Zhongguancun street, Haidian District, Beijing

Applicant after: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

Address before: 100872 room 1706, building 59, Zhongguancun street, Haidian District, Beijing

Applicant before: BEIJING SHENSI SHUDUN TECHNOLOGY Co.,Ltd.

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP02 Change in the address of a patent holder

Address after: 100193 Beijing, Haidian District, East West Road, No. 10, East Hospital, building No. 5, floor 5, layer 510

Patentee after: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

Address before: 100872 room 1706, building 59, Zhongguancun street, Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.
